Posted
by
msmash
on Tuesday November 14, 2017 @10:01AM
from the meanwhile-in-Chinese-phones dept.

Catalin Cimpanu, writing for BleepingComputer: Some OnePlus devices, if not all, come preinstalled with an application named EngineerMode that can be used to root the device and may be converted into a fully-fledged backdoor by clever attackers. The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson -- the name of the main character in the Mr. Robot TV series. Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company's servers.

Going from the Nexus4 running LineageOS to a Nexus6P, I stopped rooting. Stock Android had become "good enough" for what I wanted and the only thing I was "missing" was arrow keys in the navbar to move the cursor, which you're now able to turn on through ADB.

But yeah, reading the headline I thought it was describing a feature, not a complaint. I was thinking "that sure is convenient that they can just press a 'be rooted' button in an app and not need to use a PC"

I have an non-rooted Nexus 5 which I've been quite happy with, as it does what I want it to do.Unfortunately, Google no longer offers security updates for the phone, so I guess that my best option going forward is to root it and install Lineage or some other ROM.

What would be the most straightforward and least painful way of going about it? I understand that backup can be a problem.

Oneplus One here with LineageOS (https://download.lineageos.org/bacon) and except for compass calibration it runs better than it did with original firmware. And I can have current security patch level within a week

System apps are (or can easily become) root by design, so they can do a lot of things other apps can't. This is true for ANY OEM ROM since the anals of Android - preloaded apps are signed with developer keys, so they get API and Linux system privileges.

System apps chose to perform anything they want, silently. They don't need to ask permission through UI for stuff like Runtime.exec("su"..., or access protected/secured Android API - they just do it. And even if they don't do it from factory, OEMs like Samsung can just put in place a system-level updater that force app updates (they do this actually with samsung store), and eventually turn system apps into something they originally were not.

Now, Oneplus having an app, a preloaded one at that, which enables third-party apps to have root access is effectively unusual. I am indeed surprised Google sanctioned a ROM with such a feature, because Google does not want typical users circumventing most things Google Play, which can be done with root (common examples are adblocking through hosts files, or changing device properties such as for overclocking) . But then again, this feature is nothing special from a security standpoint. You will still get prompted by the OS whenever an app requests root even after this app turns root on for third-parties.

So, what kind of exploit can be attained from this kind of app in OnePlus devices? Is there anything different than what you could with an app that is signed with dev keys and already has root access? If an actor is managing to trigger root through the EngineeringMode app automagically, he likely also can do similar stuff with system apps that do NOT allow root to thrid-party apps. They are already injecting code or input after all, they can very well go the extra mile and do it all at once. Why bother escalating another app when you're already in control of an escalated process?

I just want to add the fact that before Samsung, Google Play itself updates without user prompt as soon as you get internet. The very first app that was self-updatable, and such an update is unblockable, is Google Play and Google Play Services themselves.

Indeed. Maybe my comment read otherwise, but I completely with you. Unfortunately this is becoming standard, and Android is just one example. Windows Home and it's snooping, it's Administrative Templates who nobody really cares about (wasn't regedit enough of a hassle?), it's unblockablae, P2P-based updates that will work on caped networks as long as one PC in the network has the update; Amazon and it's Kindle Fires and their closed stores; Apple...oh Apple; And Cloud services and storage - that is the drea

I am triple posting just to make one thing very clear: Google, Samsung, and whatever OEM has an app that self-updates or that updates other apps unnatendedly, and most of all, without an opt-out setting, has a backdoor built-in. I'm gonna make it short and bold:

Any Android device with Google Play Services can potentially have a backdoor pushed at Google's discretion.

Same for Samsung's discretion, on any device with Galaxy Apps preinstalled (or whatever it's called this week), only by Samsung.

Which in turn means dev options must be on, for which the OnePlus must be unlocked (screenlock-dismissed) to do so if not already. I'm also assuming it will need to allow the adb-triggering device to be authorized for adb on first prompt, again only doable on an unlocked OnePlus unless the attacker also has the user's PC.

When a phone doesn't have security lockscreens in place, you can assume it's pretty much an open book - most installed apps such as gmail should have been "trusted" by now, and 2-factor aut

From the article... a hidden stream of telemetry data sent by OnePlus devices to the company's servers.

When are we going to find out that this is a.) privacy violation; and b.) just dumb? Even if you can learn things about your users, even if that helps you, how is this better than talking to users? Asking questions? Getting honest feedback? Collecting telemetry is somehow... dishonest. It's like you're lying to yourself, looking for a better picture, but what you're really getting is obfuscated view o

Actually, as I tried to explain in my comment, they are simply stating something for OnePlus hat actually also happens in any device. Any OEM can potentially covert one of its preloaded apps into a backdoor, or simply force installation of one signed with their keys, which grants them root.

I believe this is called cherry-picking - in this case picking one OEM that does one (supposedly bad) thing, but not actually admiting everyone else can do the exact same...

Oh my god, you're dumber than I suspected, some might say "almost fanboy"... OnePlus are decent and all, but they're not the 2nd coming of GNU Jesus. They are a for-profit company backed by investors with investor interests, so take a fucking hint. Last time I checked they no longer provide source code on the OS their devices ship with.

I never said they did anything other than give you total control over the files on your phone. Anything you read into that is on you. Created so that you could make someone other than yourself seem stupid.

I love the way I actually agreed with you, yet somehow you're so dumb, some might even say "almost retarded", to actually notice...

If it wasn't clear: I APPRECIATE THE FACT ONEPLUS DOES THIS, AND MORE COMPANIES SHOULD ALLOW ROOT JUST LIKE SONY DID BACK IN 2011 BY JUST CLICKING A LINK....All I wanted was to make a fucking point that while OnePlus allows third-party, every other OEM also has the means to do it. In fact, they pretty much do it by preloading self-updater apps on their hardware such as Faceboo

Then don't start your reply post with "actually", which isn't often used when agreeing with someone. You caused this confusion. You used way more words than being straight to your point.
You really don't have a point. Or the point that anyone CAN do this is immaterial, fucking talk about the others that do this NOW.